The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting vulnerability (XSS).
The vulnerability was found by the company SiteLock.
The plugin vulnerability was disclosed to Automattic, the owner of, via its HackerOne security bounty program.
The fix for the vulnerability was released on July 28th and if you use WPScans.com you can scan for this vulnerability or use our premium version and get an E-mail warning.
The vulnerability can be tested with:
curl -X POST -d "vendor_description=<script>alert("xss")</script>" "https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1®ister=Register&username=1&vendor_description=1&vendor_name=
curl -X POST -d “vendor_description=alert(“xss”)” “https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1®ister=Register&username=1&vendor_description=1&vendor_name=
Pingback: WordPress Vulnerabilities: Top 4 Security Threats in 2021- WPSec